Data Sanitisation – A Complete Guide To Safe And Secure Data Erasure

💡 A study conducted by Blancco Technology Group, which included the analysis of 159 used storage drives, purchased on eBay, in the U.S., U.K., Germany, and Finland, has revealed alarming results. Sensitive data was discovered to be present on 42% of the devices, with 15% containing personally identifiable information (PII).

Furthermore, each seller Blancco interacted with, as part of the process, stated that proper data sanitisation methods had been performed so that no data was left behind.

This investigation helped highlight a major concern with data sanitisation – while sellers recognise the importance of removing data, they are in fact, using inadequate methods.

Through this blog, we will navigate across the different aspects of data sanitisation that your organisation must look into to ensure that its data remains safe and unrecoverable.

Data Sanitisation – How Is It Different From Data Deletion?

Ordinary techniques of data deletion from your organisation’s storage media do not guarantee the complete erasure of data. It is very easy for attackers to gain access to your devices and recover data – raising serious data security and privacy concerns.

Sanitisation, on the other hand, involves purposely, permanently deleting, or destroying data from a storage device. It ensures that your organisation’s sensitive data is completely erased from your assets before you dispose of or reuse them. This cleansing of devices verifies that there is no leftover data on them and that no data can be recovered, even with advanced forensic tools.

These assets might include:

• Hard Disk Drives (HDDs)

• Solid State Drives (SSDs)

• Mobile Devices

• USB Flash Drives and External Hard Drives

• Memory Cards

• Network Attached Storage (NAS)

• CDs and DVDs

• Digital Cameras and Camcorders

• Printers and Copiers

• Point of Sale (POS) Systems

• Wearable Technology

• Embedded Systems and IoT Devices

Prioritise Your Organisation’s Data Security, Privacy, and Compliance With Data Sanitisation

With the rise of targeted attacks and malicious software, instances of data breaches in organisations across all industries have become extremely common. Such attacks can pose a serious threat to your organisation’s security and privacy, in addition to affecting your brand equity, customer loyalty, and corporate partnerships, not to mention the cost of regulatory fines.

Here are a few crucial reasons for your organisation to ensure data sanitisation of its assets:

• Protection Of Sensitive Information Your organisation ****handles sensitive data, including customer information, financial records, employee details, and trade secrets. This makes it vital for you to ensure that this information is destroyed and cannot be recovered when your devices are retired or repurposed, to protect against data breaches and identity thefts. A key point to remember here is, that even data on devices no longer in use can be a source of data breaches.

• Compliance With Regulations And Laws Strict data protection and privacy laws, such as GDPR in Europe, HIPAA in the healthcare sector in the U.S., and the recently enacted DPDP Act in India, obligate organisations like yours, to ensure complete data protection of your users. Non-compliance can result in substantial fines, legal penalties, and reputational damage that might be difficult to recover from.

• Building Customer Trust And Confidence In this era of data privacy playing a significant role for organisations and customers alike, your organisation must demonstrate its commitment to data security. Effective data sanitisation practices can help your organisation maintain and enhance customer trust and brand reputation.

• Corporate Espionage Protection Securely sanitising your organisation’s data can protect against corporate espionage, where your competitors might seek to obtain your confidential information.

• Cost-Effective Data Management Storing redundant or outdated data on your organisation’s assets not only increases the risks of data breaches but also adds to your storage costs. With data sanitisation, you can efficiently mitigate these concerns.

• Environmental Responsibility Data sanitisation incorporates the safe disposal or recycling of your organisation’s electronic components. This helps to reduce your organisation’s e-waste, aligning with corporate social responsibility initiatives for environmental sustainability.

Some Key Types Of Data That Might Need To Be Sanitised

• Personal Identifiable Information (PII)

• Financial Information

• Health Records

• Corporate Information

• Intellectual Property

• Employee Data

• Customer Data

• Emails and Correspondence

• Legal Documents

• Research Data

• Educational Records

• Government Records

• Operational and Logistical Data

• Digital Credentials

• Software and Source Code
  
  

Primary Methods Of Data Sanitisation That Your Organisation Can Employ

To achieve data sanitisation, your organisation can implement any one of the following techniques:

• Physical Destruction: The most commonly used means of data sanitisation is the physical destruction of the storage media or the device it is a part of. Your organisation can incorporate two primary ways of destroying this media:

1. Using industrial shredders to break the device into pieces.

2. Using degaussers, which includes exposing the device to a strong magnetic field, which irreversibly erases data on hard disk drives (HDD) and most kinds of tapes.
   
   

   Cons:

3. It permanently damages your storage media, not allowing it to be sold or reused.

4. It is complex, expensive, and environmentally harmful.

• Data Erasure: With this technique, your organisation will have to use software to write random 0s and 1s on every sector of your storage equipment, ensuring no previous data is retained.

  Pros:

1. Validates 100% data replacement, at the byte level.

2. Helps you generate auditable reports that prove data has been successfully sanitised. Cons:

3. It is time-consuming and difficult to carry out during the lifetime of the device.

4. It requires that each decommissioned device goes through a strict sanitisation process.

• Cryptographic Erasure: When you use cryptographic erasure, you are required to use public-key cryptography, with a strong key of at least 128 bits, to encrypt all the data on your device. Once the erasure is complete, the key is discarded. Pros:

1. Without the key, the data cannot be decrypted and becomes unrecoverable. Cons:

2. It solely relies on the encryption features of your storage equipment which might not suit your needs.

3. You can encounter failures due to user errors, key management issues, or malicious actors who can intervene in the process and obtain the key before it is disposed of.

4. This technique does not meet regulatory standards for data sanitisation because, technically, the data remains on the device.

• Data Masking: To comply with data regulatory standards, the most effective, quick, and easy technique of data sanitisation is that of data masking. In this process, you create fake versions of your organisation’s data which retain their original structural properties, like replacing real customer names with other, randomly-selected names. You can use character shuffling, word replacement, and randomisation for this purpose. Cons:

1. The masked version of the data cannot be reverse-engineered to obtain the original data values.

Data Discovery For Sanitisation – Ensuring The Identification And Appropriate Handling Of Data

Data discovery is the process of identifying the data across multiple data sources of your organisation, that provides a holistic view of your organisation’s data assets.

This involves the following key stages:

• Identification, Inventory, and Documentation The first step is to identify all devices across your organisation that may contain sensitive data, including your servers, laptops, desktops, USB drives, and external hard drives. Then create a detailed inventory of these devices that includes information like their type, location, usage, and the nature of data they are likely to contain.

• Data Mapping and Classification Understand where different types of data are stored within your organisation (structured data, like database contents, and unstructured data, like files on a network drive or emails) and classify them based on their sensitivity and the applicable regulatory requirements. For example, personally identifiable information, financial records, and health information often require stricter sanitisation methods.

• Risk Assessment Assess the risk associated with each type of data. For example, higher-risk data, which would cause more damage if breached, may require more stringent sanitisation methods.

• Selecting Appropriate Sanitisation Methods Based on the classification and risk assessment of your data, pick the most appropriate sanitisation methods for each data type or device.

• Execution of Sanitisation Carry out the sanitisation process, ensuring that the process is thorough and complies with any relevant legal or regulatory standards. Automated data diagnostics and erasure tools in the market, like Securaze, help your organisation effectively carry out this process for your devices. Securaze effectively takes care of this step to ensure the complete sanitisation of your organisation’s IT hardware assets for reuse, resale, or repurposing so that all your sensitive data is safe and secure against potential threats

• Verification and Certification Once sanitisation is over, verify that the data has indeed been irrecoverably destroyed. In some cases, you might need to provide a certification or report from third-party verification to confirm that the sanitisation has been completed correctly.

• Updation of Inventory and Documentation Next, update your inventory and documentation to reflect the actions taken which can serve as a record of compliance and can be crucial for audits. For example, Securaze offers global asset inventory features, that help you track the data erasure status of every device, regardless of where it is located. This EasyID system, which is owned and patented by Securaze, constitutes a letter and number tag inside the app for each device. Additionally, each USB hub is assigned a letter, and each wire connected to your device has a sticker attached with the corresponding number displayed on the device screen.

• Continuous Monitoring and Review Data discovery and sanitisation is not a one-time process and requires regular reviews and monitoring to ensure new data is identified and handled appropriately. This is essential for you to adapt to any changes in the regulatory landscape or operations of your organisation.

With the continued growth of big data and the increasing importance of data security, data sanitisation is poised to become an essential part of your organisation’s information management strategy.